lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20201103174744.GB23992@redhat.com>
Date:   Tue, 3 Nov 2020 18:47:44 +0100
From:   Oleg Nesterov <oleg@...hat.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Mark Mossberg <mark.mossberg@...il.com>, tglx@...utronix.de,
        mingo@...hat.com, x86@...nel.org, linux-kernel@...r.kernel.org,
        hpa@...or.com, jannh@...gle.com, kyin@...hat.com
Subject: Re: [PATCH v2] x86/dumpstack: Fix misleading instruction pointer
 error message

On 11/03, Borislav Petkov wrote:
>
> On Tue, Nov 03, 2020 at 01:50:34PM +0100, Oleg Nesterov wrote:
> > Another problem is that show_opcodes() makes no sense if user_mode(regs)
> > and tsk is not current.
>
> Because if not current, we would access *some* user address space but
> not the one to which regs belong to?

Yes, because if not current, copy_from_user() will access the current's
user address space at address = foreign process's regs->ip.

> > Try "echo t > /proc/sysrq-trigger".
>
> What am I looking for?
>
> I see a bunch of:
>
> [   37.622896] Code: Unable to access opcode bytes at RIP <user address>

this means that foreign_regs->ip is not mmapped,

> and three Code: lines with opcode bytes, as expected:
>
> [   37.148693] Code: 11 0d 00 48 89 c6 4c 89 ef e8 98 07 00 00 48 83 f8 ff 0f 84 3e 02 00 00 48 3b 05 b7 28 0d 00 48 89 c3 0f 83 b5 00 00 00 48 8b <0d> e7 10 0d 00 48 83 f8 0d 76 13 48 b8 28 75 6e 72 65 61 63 68 48

I'd say this is NOT expected and adds the unnecessary confusion.
./scripts/decodecode reports

	...

	Code starting with the faulting instruction
	===========================================
	   0:	0d e7 10 0d 00       	or     $0xd10e7,%eax
	   5:	48 83 f8 0d          	cmp    $0xd,%rax
	   9:	76 13                	jbe    0x1e
	   b:	48 b8 28 75 6e 72 65 	movabs $0x68636165726e7528,%rax
	  12:	61 63 68
	  15:	48                   	rex.W

and this is because foreign_regs->ip happens to be a valid address in current->mm.

> I'm thinking this should not use the atomic variant if it can get called
> in !atomic context too.

For what?

Oleg.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ